Hard Numbers on Internet Crime

Current News Updates

Hard Numbers on Internet Crime

A recent headline claims that cybercrime is more profitable than the drugs trade.

How can this be true? Trafficking in drugs is a mature criminal enterprise, large scale professional Internet crime only emerged in the past five years. The number of daily security alerts issued by VeriSign iDefense increased from 21 per day to 59, a 180% rise. If the claim that Internet crime already earns $105 billion a year is true and the growth rate is even a fraction of that, we are in very, very serious trouble.

Knowing the true state of Internet crime is important; and not just if customers are paying you to accurately analyze the situation. The Chief Security Officers of banks and other financial institutions that are targeted by Internet crime make sure that they understand their own losses. Statistics that greatly exaggerate the size of the problem only confuse the situation. CSOs are busy enough trying to stop Internet crime without the CEO asking if the loss figures they are reporting are correct.

Strong claims demand high levels of proof. The source of the “more profitable than drugs” claim turns out to be an anonymous headline writer for Reuters. The article itself is based on an interview with Valerie McNiven, an analyst with Cybrinth after she gave a presentation at an information security conference in Ryadh. The first line of the article states: “Global cybercrime generated a higher turnover than drug trafficking in 2004”. This is a very different claim, turnover and profits are very different things as anyone who has invested in an Internet startup knows.

Another problem with the statement is that the term cybercrime means different things to different people. A separate account of the same presentation in TechWeb explains that the definition of cybercrime used was much broader than the phishing, advance fee fraud and extortion rackets typically considered to be the principal forms of Internet crime. Instead the cybercrime definition “included corporate espionage, manipulation of stocks, child pornography, cyber-extortion and various forms of piracy.”

Recording industry executives are understandably concerned about online file trading networks but it makes little sense to describe the hypothetical loss due to piracy as ‘turnover'. The recording industry certainly suffers damage from piracy; professional copyright thieves certainly make very large sums of money from piracy. But the amount of money made by the pirates is very much less than the damage they cause.

The same is true of almost every type of crime, Internet crime is no exception. The spammer who sends out a hundred million emails is unlikely to see more than a thousand responses. If the product has a profit of $10 the net gain to the spammer is $10,000. The cost to network providers, anti-spam service providers and readers whose time is wasted is at least ten times greater.

Overstating the profitability of Internet crime makes the problem worse by encouraging more people to try it. Internet crime is certainly very profitable for some but the profits they make are certainly nowhere near $105 billion and only a small number make a significant profit before they are caught.

The article's suggestion that law enforcement cannot catch up because phishing sites are taken down ‘”within 48 hours” is equally unhelpful. The phishing gangs would much prefer the sites to remain up much longer. The sites are taken down because of the work done by VeriSign Anti-Phishing services and other security teams working with ISPs around the world to bring down phishing sites as fast as possible. The aim of these teams is to bring the sites down in minutes or hours, not days.

Law enforcement has been catching up with an increasing number of Internet criminals. The US Department of Justice recently announced guilty pleas by six of the 21 US defendants accused of running the ‘Shadowcrew.com' marketplace for credit card fraud. The Shadowcrew gang were caught by the US Secret Service working with law enforcement in six other countries. Earlier this year police in Brazil arrested 50 alleged members of a phishing ring.

The gangs are believed to be amongst the largest Internet crime organizations. The sums involved in these crimes are certainly very large, over $4 million in the Shadowcrew indictment and an estimated $37 million in the Brazilian case. But these figures suggest that the true extent of Internet crime is much closer to the $995 million estimate given by Gartner group than the $105 billion figure of McNiven.

Internet crime is certainly a serious problem that will get much worse in the short term. But work is already underway to mitigate the immediate impact of Internet crime and major changes to the Internet infrastructure are being planned that will make its fabric considerably more resistant to Internet crime.

It is not quite fair to say that the Web was not designed to be secure. A great deal of effort went into trying to secure the Web, some of which made it into the Web itself. As one of those who tried (and failed) to design security into the Web our correspondent believes that a fairer statement would be that in 1995 we did not understand what the security needs of the Web would be in 2005.

Those security needs are understood much better today. For example we understand that security is not just the ability of the bank to identify their customer, the customer has to be able to easily and reliably identify the bank. We understand that the Web now has over a billion users and we can no longer design systems for the technically literate.

We also understand that the security impact of the Web goes far beyond the Web itself. The phishing problem began when a group of hackers discovered a way to turn a stolen credit card number into a card and PIN number they could use to withdraw cash from an ATM machine. That particular attack has now been (largely) blocked but the phishing gangs continue to find ways to use the Web to magnify the effect of weaknesses in the financial services infrastructure.

At the root of the phishing problem is the fact that a credit card number or a password is not a very good way of protecting money. Internet crime makes the replacement of these outdated techniques an urgent priority. But it is a priority that there is still time to carefully analyze and plan for. We must upgrade the Internet infrastructure to make it crime resistant but we cannot change the internet every day. We have a limited number of shots, we can and must take the time to aim them well.